[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Damian Menscher
damian at google.com
Sun Sep 4 04:07:25 UTC 2016
On Sat, Sep 3, 2016 at 8:23 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
> On 4 Sep 2016, at 8:42, Damian Menscher wrote:
>
>> At that point the attacker could just hit the victim
>> directly.
>
> That's the whole point of reflection - to do so *indirectly*, heh.
To what end? If they want to obfuscate the source IP, why not simply spoof
the source IPs in a direct attack? I maintain that amplification is key --
reflection is just a means to an end. (Reflection potentially makes
traceback slightly harder, but it's hard to imagine any attacker caring
about that.)
>> RRL applied at authoritative servers doesn't accomplish anything -- all
>> amplification attacks reflect off recursive resolvers, not authoritative
>> servers.
>>
>
> Actually, quite a bit of DNS reflection/amplification is direct from the
> initiators to the reflectors/amplifiers (in this case, the authoritative
> servers). There are essentially two variants of DNS
> reflection/amplification - one involving a tier of open recursors, the
> other not utilizing them.
>
> RRL on the authoritatives being used helps in either scenario.
>
No. Most attacks amplify off recursive resolvers, and those do a single
authoritative lookup which they then cache for its TTL. RRL does nothing
to help in this case.
I understand that RRL can help in the case of amplification directly off
authoritative servers, but I've never seen an attacker do that (or perhaps
just didn't notice).
Damian
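As an added illustration of the caching argument in the message above (a toy model written for this page, not code from the thread or from any RRL implementation): each recursive resolver asks the authoritative once per TTL and serves every other query for that name from cache, so a per-client counter at the authoritative sees one query per resolver per TTL and never reaches its threshold. Setting `ttl=0` models queries sent straight to the authoritative, the case where such a counter does trigger. All numbers are constructed.

```python
from collections import Counter


def simulate(resolvers, qps_per_resolver, ttl, duration, rrl_limit):
    """Toy model of query load for one name over `duration` seconds.

    resolvers        - names of recursive resolvers fronting the authoritative
    qps_per_resolver - queries per second each resolver receives for the name
    ttl              - seconds a resolver caches the answer (0 = no caching,
                       i.e. every query reaches the authoritative)
    rrl_limit        - assumed per-client responses/second threshold at the
                       authoritative (a simplified RRL model, not BIND's)

    Returns (auth_queries_total, max_auth_qps_from_one_client,
             rrl_threshold_reached, cache_hits).
    """
    cache_expiry = {r: -1 for r in resolvers}  # per-resolver cache expiry
    auth_queries_total = 0
    cache_hits = 0
    max_qps = 0
    rrl_threshold_reached = False

    for now in range(duration):  # time advances in 1-second steps (assumption)
        per_client = Counter()   # what the authoritative sees this second
        for r in resolvers:
            for _ in range(qps_per_resolver):
                if cache_expiry[r] > now:
                    cache_hits += 1          # answered locally, auth never sees it
                else:
                    per_client[r] += 1       # one upstream lookup ...
                    auth_queries_total += 1
                    cache_expiry[r] = now + ttl  # ... then cached for the TTL
        for n in per_client.values():
            max_qps = max(max_qps, n)
            if n > rrl_limit:
                rrl_threshold_reached = True
    return auth_queries_total, max_qps, rrl_threshold_reached, cache_hits


if __name__ == "__main__":
    # Three resolvers, 1000 qps each, 300 s TTL, a 10-minute window.
    print("via caching resolvers:", simulate(["r1", "r2", "r3"], 1000, 300, 600, 5))
    # Same load with no caching: every query lands on the authoritative.
    print("direct, no cache:     ", simulate(["c1", "c2", "c3"], 1000, 0, 600, 5))
```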